Squid with Kerberos authentication against Windows 2008/2003/7/XP
This is something I set up recently, and it was fairly painful. My environment is getting to the point where Windows 7 clients authenticate against a Windows 2008 server transparently, without the user noticing. NTLM was not really an option, because using it requires a registry change on every client.

MS has been recommending Kerberos since Windows 2000, so it is time to use it.

Many thanks to Markus Moeller on the Squid mailing list for helping get this working.

This was set up with Squid 3.0 and has also been tested with Squid 3.1; it should work with Squid 2.7 as well. Your Windows users must be members of the SQUID_USERS group in Active Directory (for this setup, anyway).

On the Windows side, Windows XP and Windows 7 have been tested against Windows 2008, and Windows XP against Windows 2003.

Note that almost every step depends on the previous one being complete before you can continue.
If you have problems, DNS is always the first place to look. Both Windows machines should be able to ping the Linux server by name (and vice versa), and you may sometimes need to run ipconfig /flushdns on the Windows side. If you want to be really sure nothing is stale, a reboot can also help.

Domain information

- Windows domain: dom.local
- Domain server: server.dom.local, 172.17.3.11
- CentOS Squid server: centos.dom.local, 172.17.3.10
Domain server setup

- Create a reverse zone for dom.local in the DNS configuration.
- Create a static ('A') record for centos.dom.local pointing at 172.17.3.10; when asked whether to also create the reverse PTR record, choose yes.

Windows 2008

For a Windows 2008 server you need to install Hotfix 951191.
Linux setup

Packages

Install the packages:

$ yum install -y cyrus-sasl-gssapi cvs autoconf automake openldap openldap-devel krb5-workstation krb5-devel gcc-c++

Install msktutil. You need to patch it before building it:

$ wget http://download.systemimager.org/~finley/msktutil/msktutil_0.3.16.orig.tar.gz
$ wget http://download.systemimager.org/~finley/msktutil/msktutil_0.3.16-7.diff.gz
$ gunzip msktutil_0.3.16-7.diff.gz
$ tar zxf msktutil_0.3.16.orig.tar.gz
$ cd msktutil-0.3.16
$ patch < ../msktutil_0.3.16-7.diff
$ ./configure && make && make install

Compile the latest squid_kerb_ldap:

$ cvs -z3 -d:pserver:anonymous@squidkerbauth.cvs.sourceforge.net:/cvsroot/squidkerbauth co -P squid_kerb_ldap
$ cd squid_kerb_ldap
$ ./configure && make
DNS

Use system-config-network to point DNS at the domain controller and to set the hostname to centos.dom.local. Reboot.

Check that reverse DNS works:

$ dig -x 172.17.3.10

You should get centos.dom.local in the ANSWER SECTION. If you don't, there is no point going on: Kerberos authentication will not work without correctly configured DNS, because the service principal name is built from the host's fully qualified name.

Kerberos
Your krb5.conf should look like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOM.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
# For Windows XP:
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# For Windows 7:
# default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 forwardable = yes

[realms]
 DOM.LOCAL = {
  kdc = 172.17.3.11:88
  admin_server = 172.17.3.11:7491
  default_domain = dom.local
 }

[domain_realm]
 .dom.local = DOM.LOCAL
 dom.local = DOM.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Create the keytab:

$ kinit administrator
$ msktutil -c -b "CN=COMPUTERS" -s HTTP/centos.dom.local -h centos.dom.local -k /etc/HTTP.keytab --computer-name centos-http --upn HTTP/centos.dom.local --server server.dom.local --verbose

For Windows 2008 you need to add --enctypes 28 to the msktutil command.
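The value 28 is the msDS-SupportedEncryptionTypes bitmask that msktutil --enctypes writes on the computer account: RC4-HMAC (4) + AES128 (8) + AES256 (16). The KDC issues the service ticket with one of the types the account advertises, so the keytab must hold a key of that type, or squid_kerb_auth cannot decrypt the ticket. klist -kt /etc/HTTP.keytab shows what a keytab contains; the following is an added Python example (not from the page, msktutil or Squid) that does the same by parsing the MIT keytab format directly and comparing the result with the mask and with the client's permitted_enctypes. The keytab bytes are constructed here with dummy keys, and build_keytab and check_service_keys are helpers invented for this example.

```python
"""List the principals and encryption types in an MIT-format keytab (the format
msktutil writes) and compare them with the msDS-SupportedEncryptionTypes mask
that msktutil --enctypes sets on the computer account. Added example, not part
of msktutil or the page; the keytab bytes are constructed here with dummy keys."""
import struct

# Kerberos enctype numbers for the names used in krb5.conf.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Bits of msDS-SupportedEncryptionTypes -> enctype number. 28 = 4 + 8 + 16.
MSDS_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}


def decode_enctypes_mask(mask):
    """Enctype numbers enabled by an msDS-SupportedEncryptionTypes value."""
    return sorted(et for bit, et in MSDS_BITS.items() if mask & bit)


def _counted(buf, off):
    """Read a keytab counted octet string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for each live entry of a
    version-2 (0x0502) keytab; key material is skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size = deleted slot, skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, keylen = struct.unpack_from(">HH", data, off + 9)
        off += 9 + 4 + keylen
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries


def build_keytab(principal, kvno, enctypes):
    """Constructed sample keytab for this example: one entry per enctype, all-zero keys."""
    name, realm = principal.split("@")
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for et in enctypes:
        keylen = 32 if et == 18 else 16
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", et, keylen) + bytes(keylen)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_keys(keytab, spn, supported_mask, client_permitted):
    """Which enctypes the AD account advertises but the keytab lacks, and which
    keytab enctypes a client with the given permitted_enctypes can actually use."""
    have = {et for principal, _, et in parse_keytab(keytab) if principal == spn}
    wanted = set(decode_enctypes_mask(supported_mask))
    return {"present": sorted(have),
            "missing_from_keytab": sorted(wanted - have),
            "usable_by_client": sorted(have & set(client_permitted))}


SPN = "HTTP/centos.dom.local@DOM.LOCAL"
SAMPLE_KEYTAB = build_keytab(SPN, 2, [23, 18])   # rc4-hmac and aes256 keys only

if __name__ == "__main__":
    for principal, kvno, et in parse_keytab(SAMPLE_KEYTAB):
        print(f"{kvno:>3} {principal} ({ENCTYPE_NAMES.get(et, et)})")
    # XP's permitted_enctypes from the page's krb5.conf: rc4-hmac des-cbc-crc des-cbc-md5
    print(check_service_keys(SAMPLE_KEYTAB, SPN, 28, [23, 1, 3]))
```

With the constructed keytab, the report says aes128 (17) is advertised by a mask of 28 but absent from the keytab, while an XP client restricted to rc4-hmac/des can still use the rc4-hmac key. To run it against the real file, replace SAMPLE_KEYTAB with the contents of /etc/HTTP.keytab read as bytes.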
Squid

Install Squid:

$ wget http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE18.tar.gz
$ tar zxvf squid-3.0.STABLE18.tar.gz
$ cd squid-3.0.STABLE18
$ ./configure --enable-negotiate-auth-helpers=squid_kerb_auth --enable-stacktraces --prefix=/opt/squid-3.0
$ make
$ make install
$ cp helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth /opt/squid-3.0/sbin/
$ cp ~/squid_kerb_ldap/squid_kerb_ldap /opt/squid-3.0/sbin/
$ cd /opt/squid-3.0/
$ mv etc/squid.conf etc/squid.conf.ORIG
Set the appropriate parameters in squid.conf:

auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d -s HTTP/centos.dom.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-3.0/sbin/squid_kerb_ldap -d -g SQUID_USERS

acl AUTHENTICATED proxy_auth REQUIRED
acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
acl localnet src 172.17.3.0/24 # RFC1918 possible internal network

#http_access allow localnet
#http_access allow AUTHENTICATED
http_access allow LDAP_GROUP_CHECK

cache_dir ufs /var/cache/squid-3.0 100 16 256
access_log /var/log/squid-3.0/access.log squid
cache_log /var/log/squid-3.0/cache.log
cache_store_log /var/log/squid-3.0/store.log
pid_filename /var/run/squid-3.0.pid
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/cache/squid-3.0
Set up the user and directories (the keytab holds the service's long-term key, so it must be owned by, and readable only by, the user Squid runs as):

$ chown -R squid:squid /opt/squid-3.0/
$ mkdir /var/cache/squid-3.0
$ chown -R squid:squid /var/cache/
$ mkdir /var/log/squid-3.0
$ chown -R squid:squid /var/log/squid-3.0/
$ chown squid:squid /etc/HTTP.keytab

Create the cache:

$ /opt/squid-3.0/sbin/squid -z
Init script

Now, this is important: Squid needs some environment variables set in order to run properly. The best way to do this is with the init script. This is a slightly edited version of the CentOS one:
#!/bin/bash
# squid         This shell script takes care of starting and stopping
#               Squid Internet Object Cache
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#       a way to store requested Internet objects (i.e., data available \
#       via the HTTP, FTP, and gopher protocols) on a system closer to the \
#       requesting site than to the source. Web browsers can then use the \
#       local Squid cache as a proxy HTTP server, reducing access time as \
#       well as bandwidth consumption.
# pidfile: /var/run/squid-3.0.pid
# config: /opt/squid-3.0/etc/squid.conf

PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-"-D"}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

KRB5_KTNAME=/etc/HTTP.keytab
export KRB5_KTNAME

# determine the name of the squid binary
[ -f /opt/squid-3.0/sbin/squid ] && SQUID=/opt/squid-3.0/sbin/squid

prog="$SQUID"

# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' /opt/squid-3.0/etc/squid.conf | \
        grep cache_dir | awk '{ print $3 }'`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/spool/squid-3.0

RETVAL=0

start() {
    #check if the squid conf file is present
    if [ ! -f /opt/squid-3.0/etc/squid.conf ]; then
        echo "Configuration file /opt/squid-3.0/etc/squid.conf missing" 1>&2
        exit 6
    fi

    . /etc/sysconfig/squid
    # don't raise an error if the config file is incomplete.
    # set defaults instead:
    SQUID_OPTS=${SQUID_OPTS:-"-D"}
    SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
    SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

    if [ -z "$SQUID" ]; then
        echo "Insufficient privilege" 1>&2
        exit 4
    fi

    for adir in $CACHE_SWAP; do
        if [ ! -d $adir/00 ]; then
            echo -n "init_cache_dir $adir... "
            $SQUID -z -F -D >> /var/log/squid-3.0/squid.out 2>&1
        fi
    done
    echo -n $"Starting $prog: "
    $SQUID $SQUID_OPTS >> /var/log/squid-3.0/squid.out 2>&1
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
        timeout=0;
        while : ; do
            [ ! -f /var/run/squid-3.0.pid ] || break
            if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
                RETVAL=1
                break
            fi
            sleep 1 && echo -n "."
            timeout=$((timeout+1))
        done
    fi
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/squid-3.0
    [ $RETVAL -eq 0 ] && echo_success
    [ $RETVAL -ne 0 ] && echo_failure
    echo
    return $RETVAL
}

stop() {
    . /etc/sysconfig/squid
    # don't raise an error if the config file is incomplete.
    # set defaults instead:
    SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

    echo -n $"Stopping $prog: "
    $SQUID -k check >> /var/log/squid-3.0/squid.out 2>&1
    RETVAL=$?
    if [ $RETVAL -eq 0 ] ; then
        $SQUID -k shutdown &
        rm -f /var/lock/subsys/squid-3.0
        timeout=0
        while : ; do
            [ -f /var/run/squid-3.0.pid ] || break
            if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
                echo
                return 1
            fi
            sleep 2 && echo -n "."
            timeout=$((timeout+2))
        done
        echo_success
        echo
    else
        echo_failure
        echo
    fi
    return $RETVAL
}

reload() {
    . /etc/sysconfig/squid
    # don't raise an error if the config file is incomplete.
    # set defaults instead:
    SQUID_OPTS=${SQUID_OPTS:-"-D"}

    $SQUID $SQUID_OPTS -k reconfigure
}

restart() {
    stop
    start
}

condrestart() {
    [ -e /var/lock/subsys/squid-3.0 ] && restart || :
}

rhstatus() {
    status $SQUID && $SQUID -k check
}

probe() {
    return 0
}

case "$1" in
start)
    start
    ;;

stop)
    stop
    ;;

reload)
    reload
    ;;

restart)
    restart
    ;;

condrestart)
    condrestart
    ;;

status)
    rhstatus
    ;;

probe)
    exit 0
    ;;

*)
    echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
    exit 2
esac

exit $?
These are the important lines; without them the GSSAPI library looks in the default keytab (/etc/krb5.keytab) and never finds the HTTP/centos.dom.local key:

KRB5_KTNAME=/etc/HTTP.keytab
export KRB5_KTNAME
Client machines

Set your proxy to server centos.dom.local, port 3128. It is important to use the fully qualified domain name rather than the IP address: the browser builds the service principal it requests from the proxy name it was given, and only HTTP/centos.dom.local exists in the keytab.
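Several names have to agree for the Negotiate exchange to succeed: the proxy name configured on the clients determines the SPN the browser asks the KDC for, the -s argument of squid_kerb_auth in squid.conf must name the same principal, and [domain_realm] in krb5.conf must map that host to a realm that has a kdc entry. The following added Python checker (not from the page or from Squid) cross-checks these against constructed copies of the page's krb5.conf and squid.conf; the config snippets, parse_krb5_conf, realm_for_host and check_negotiate_setup are all assumptions made for this example.

```python
"""Cross-check the settings that must agree for Squid's Negotiate/Kerberos
authentication: krb5.conf's realm mapping, the SPN handed to squid_kerb_auth in
squid.conf, the proxy's own FQDN and the proxy name configured on clients.
Added example; the two config snippets below are constructed from the page's
settings (hypothetical file contents, not read from /etc)."""
import re

# Constructed krb5.conf excerpt (the page's [libdefaults], [realms] and [domain_realm]).
KRB5_CONF = """
[libdefaults]
 default_realm = DOM.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
# For Windows XP:
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 forwardable = yes

[realms]
 DOM.LOCAL = {
  kdc = 172.17.3.11:88
  default_domain = dom.local
 }

[domain_realm]
 .dom.local = DOM.LOCAL
 dom.local = DOM.LOCAL
"""

# Constructed squid.conf excerpt (the page's auth and access lines).
SQUID_CONF = """
auth_param negotiate program /opt/squid-3.0/sbin/squid_kerb_auth -d -s HTTP/centos.dom.local
auth_param negotiate children 10
acl LDAP_GROUP_CHECK external SQUID_KERB_LDAP
http_access allow LDAP_GROUP_CHECK
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}}, with 'NAME = { ... }'
    blocks (realm and appdefaults entries) nested as dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def realm_for_host(conf, fqdn):
    """Resolve a host to a realm the way libkrb5 applies [domain_realm]: exact
    host name first, then each parent domain, then default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = fqdn.lower().split(".")
    if fqdn.lower() in mapping:
        return mapping[fqdn.lower()]
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def squid_negotiate_spn(squid_conf):
    """Return the principal given with -s to the negotiate helper, or None."""
    for raw in squid_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:3] == ["auth_param", "negotiate", "program"] and "-s" in parts:
            return parts[parts.index("-s") + 1]
    return None


def check_negotiate_setup(krb5_text, squid_text, proxy_fqdn, client_proxy_host):
    """Return a list of mismatches; an empty list means the names line up."""
    problems = []
    conf = parse_krb5_conf(krb5_text)
    spn = squid_negotiate_spn(squid_text)
    if spn is None:
        problems.append("squid.conf: negotiate helper is not given -s HTTP/<fqdn>")
    else:
        service, _, host = spn.split("@")[0].partition("/")
        if service != "HTTP" or host.lower() != proxy_fqdn.lower():
            problems.append(f"squid.conf: -s {spn} does not match HTTP/{proxy_fqdn}")
    realm = realm_for_host(conf, proxy_fqdn)
    if realm is None:
        problems.append(f"krb5.conf: no realm maps to {proxy_fqdn}")
    elif "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append(f"krb5.conf: realm {realm} has no kdc entry")
    # The browser builds the SPN from the proxy name it was given, so an IP
    # address or a short name yields a principal that is not in the keytab.
    if client_proxy_host.lower() != proxy_fqdn.lower():
        problems.append(f"clients ask for HTTP/{client_proxy_host}, keytab holds HTTP/{proxy_fqdn}")
    return problems


if __name__ == "__main__":
    for client in ("centos.dom.local", "172.17.3.10", "centos"):
        print(client, check_negotiate_setup(KRB5_CONF, SQUID_CONF, "centos.dom.local", client))
```

Run as-is it reports no problems for clients pointed at centos.dom.local and one mismatch each for clients pointed at the IP address or the short name; to check a live host, read /etc/krb5.conf and /opt/squid-3.0/etc/squid.conf into the two strings.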